In the cyber-security industry, the only constant, it seems, is change. The threat landscape is always shifting as cyber criminals seek new ways to exploit individuals, corporations, and nations themselves. One significant shift in the threat landscape is cryptojacking.
While the impact to individuals and organizations is not as malicious as ransomware or the theft or destruction of data, cryptojacking is still theft of a different kind. It is theft of compute and power resources that represent corporate financial investments.
This blog post will provide an overview of the cryptojacking problem, why it is an issue for your organization, how to detect it, and what can be done to try and prevent it.
What is Cryptojacking?
A simple cryptojacking definition is the exploitation of endpoints or websites for the purpose of stealing CPU cycles (and the power to run them) in order to mine cryptocurrency.
There are nearly 2,000 different cryptocurrencies. The most well known is Bitcoin, as it was the first. Others, such as Ethereum, Ripple, and Litecoin, are also well known. Still others, like Monero, may not be as popular, but they attract more cybercriminals because the criminal activity cannot be traced back to the source: transactions on the Monero blockchain are private.
In order to perform cryptojacking, cybercriminals either phish individuals into clicking a link that will load the crypto mining code onto the host, or they exploit a website or an ad using script injection. The injected JavaScript runs automatically when the site is visited or the ad is rendered.
Cybercriminals are also reusing previously successful exploit vectors and just changing the payload to be the crypto mining code. Why invest in new exploit vehicles when tried and true methods still work?
The Rise of Cryptojacking
According to the Fortinet Q1 2018 Threat Landscape Report, 28% of firms have reported cryptojacking in their environments. This is a 15% increase over Q4 2017. It is anticipated that the instances of cryptojacking will continue to rise. After all, it is a good “business model” for the cybercriminal.
The main expenditures in mining cryptocurrency are electricity and hardware, but in the case of cryptojacking, cybercriminals don’t pay for either, so any money earned is pure profit. Using CPUs is not the most efficient crypto-mining architecture; there are now hardware architectures made specifically for crypto mining, called Application-Specific Integrated Circuits, or ASICs. If cyber criminals can get CPU cycles for free, they are willing to make the trade-off between masses of free, stolen CPU cycles and hardware specifically designed for crypto mining that costs thousands of dollars each for the newest models. Cryptojacking is also difficult to detect.
Why is cryptojacking an issue for business?
You may wonder: if cryptojacking is just stealing electricity and CPU cycles, is it really that bad? After all, there is no damage to data or the computing resources on your network. In addition, you don’t have to publicly report that you’ve been cryptojacked like you do if intellectual property, the usernames and passwords of your users, or credit card numbers are stolen. In that context, cryptojacking doesn’t seem nearly as bad.
What if your business was based on the number of transactions your company processed? The degradation in processing performance could significantly impact your bottom line. Not to mention the additional financial outlay for the electricity to power the additional CPU cycles consumed by the process of mining cryptocurrency.
Put in simple terms, if you’ve been cryptojacked, you have been exploited, either through a phishing attack or through a script injection of your website. And if you’ve fallen prey to cryptojacking, you’re susceptible to other, potentially more malicious threat vectors.
You never know the intent of cyber criminals. They may start with a cryptojacking foothold and make money off of your organization while they probe for other vulnerabilities to exploit.
Any exploitation, no matter how minor it may seem, is a problem and should be addressed. After all, if an employee is phished for cryptojacking, they are likely to fall victim to subsequent phishing schemes which could have a much greater impact to your environment.
How to detect cryptojacking
While cryptomining is compute intensive, cryptojacking can be extremely difficult to detect, especially if the mining processes are throttled to avoid detection.
In the case where an endpoint, or employee computer, is compromised, individuals may report that the CPU cycles are spiking, that the fan on their computer seems to be constantly running, or that their computer is running sluggishly. Cryptojacking will be difficult to detect on exploited servers, as they are likely in a data center or network closet, so other detection methods, namely network and performance monitoring, will need to be employed.
Organizations should already be monitoring their network traffic, so tuning the monitoring for indications of cryptojacking should be the first step. Look for connections to mining-related IPs. For servers, monitoring CPU performance can be a significant means of detecting cryptojacking. If your organization has a CPU utilization baseline established, set alerts for spikes in CPU utilization, which are a key indicator of a potential cryptojacking compromise. For your website, monitor the website files for modifications and for changes in CPU behavior as the site is browsed.
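The two server-side checks above (connections to mining-related IPs and CPU load measured against a baseline) can be combined as in the following added example, which is not from the original post. The watchlist, host names, flow records and CPU readings are all constructed, and the rolling-window threshold is an assumption chosen so that a throttled miner holding a steady moderate load is caught while a single spike is not.

```python
import ipaddress
from statistics import mean

# Constructed watchlist: documentation address ranges standing in for a
# real threat-intel feed of mining-related IPs.
MINING_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]

def mining_connections(flows):
    """Return {src_host: [dst_ip, ...]} for flows whose destination is on the watchlist."""
    hits = {}
    for src, dst, _port in flows:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in MINING_NETS):
            hits.setdefault(src, []).append(dst)
    return hits

def sustained_cpu(samples, baseline, window=5, k=3.0):
    """Flag hosts whose rolling mean CPU% exceeds baseline mean + k * stdev."""
    # Averaging over `window` readings ignores one short spike but still
    # catches a throttled miner that holds a steady, moderate load.
    flagged = {}
    for host, series in samples.items():
        mu, sigma = baseline[host]
        limit = mu + k * sigma
        for i in range(len(series) - window + 1):
            avg = mean(series[i:i + window])
            if avg > limit:
                flagged[host] = round(avg, 1)
                break
    return flagged

def triage(flows, samples, baseline):
    """Combine both signals: 'high' if both fire, 'review' if only one does."""
    net, cpu = mining_connections(flows), sustained_cpu(samples, baseline)
    return {h: ("high" if h in net and h in cpu else "review")
            for h in sorted(set(net) | set(cpu))}

# Constructed sample telemetry (one CPU% reading per minute per host).
FLOWS = [("web01", "203.0.113.5", 3333), ("web01", "192.0.2.10", 443),
         ("db01", "192.0.2.20", 5432), ("hr-laptop", "198.51.100.77", 443)]
BASELINE = {"web01": (22.0, 5.0), "db01": (40.0, 8.0), "hr-laptop": (10.0, 4.0)}
SAMPLES = {
    "web01": [21, 24, 58, 60, 59, 61, 60, 58],    # steady ~60%: throttled miner
    "db01": [38, 41, 97, 42, 39, 40, 43, 41],     # one-off spike, then normal
    "hr-laptop": [9, 12, 11, 10, 13, 9, 11, 10],  # normal load
}

if __name__ == "__main__":
    print(triage(FLOWS, SAMPLES, BASELINE))
```

A host that trips only one signal is left at "review" because either signal alone has ordinary explanations, such as a batch job or a stale watchlist entry.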
Protect yourself! How to block/stop cryptojacking
Fortunately, there are several means to protect yourself against cryptojacking. Since one avenue for delivering cryptomining code to the target is via phishing, users should be trained regarding how to spot phishing campaigns and what to do if a phishing attack is suspected. Technically, phishing should already be part of your security awareness training, so just update it to cover crypto mining. Endpoints are constantly under attack, and attacks to deploy crypto mining code on endpoints are no different. Endpoint security vendors are updating their offerings to detect crypto mining code.
Regarding browser-based cryptojacking defenses, ensure that web server configurations only allow authorized access and modification to files supporting the website and the website code itself. To prevent the execution of crypto mining JavaScript code when a website is visited, install a cryptojacking blocker browser extension (e.g. No Coin or Minerblock) on all browser instances. In addition, install an ad blocker to address the threat of ads that have been modified with crypto mining code.
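Restricting who can modify website files is easier to trust when changes are also checked for. The following added example (not from the original post) takes a SHA-256 baseline of a web root, compares a later snapshot against it, and lists external script hosts in changed files that are not on an allowlist. The web root, file names and host names are constructed, and the allowlist approach is an assumption.

```python
import hashlib, re, tempfile
from pathlib import Path

# Matches the host part of an external <script src="..."> reference.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\'](?:https?:)?//([^/"\']+)', re.I)

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(baseline, current):
    """Compare two manifests; return added, modified and removed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def new_script_hosts(root, changed, allowed_hosts):
    """List external script hosts in changed files that are not allowlisted."""
    found = set()
    for rel in changed:
        p = Path(root) / rel
        if p.suffix.lower() in {".html", ".htm", ".js", ".php"}:
            text = p.read_text(errors="replace")
            found |= {h.lower() for h in SCRIPT_SRC.findall(text)} - allowed_hosts
    return sorted(found)

def demo():
    """Constructed web root: take a baseline, simulate a change, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text('<script src="https://cdn.example.com/app.js"></script>')
        (root / "about.html").write_text("<p>About us</p>")
        base = manifest(root)
        # Simulated unauthorized modification: an extra third-party script tag.
        (root / "index.html").write_text(
            '<script src="https://cdn.example.com/app.js"></script>'
            '<script src="https://miner.example.net/m.js"></script>')
        (root / "new.js").write_text("/* unexpected file */")
        changes = diff(base, manifest(root))
        hosts = new_script_hosts(root, changes["added"] + changes["modified"],
                                 {"cdn.example.com"})
        return changes, hosts

if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be stored where the web server account cannot write to it, otherwise whoever alters the site files can alter the baseline too.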
While less damaging than most cyber attacks, cryptojacking is still an attack against your environment and should be handled as such. The delivery mechanisms and code itself will continue to evolve, so staying informed about the changes in cryptojacking attack vectors is important. Use the tools in place now, such as network and performance monitoring tools, as well as firewalls to detect and block malicious sites or infected computers from making connections to mining nodes. Maintaining protections on website code and supporting files will also thwart cryptojacking attacks.
Linford & Company has extensive experience providing SOC 1 Audits, SOC 2 Audits, HITRUST assessments, HIPAA audits, FedRAMP examinations, and more.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.